Today I received a fax from a bank. It contained a name, address, savings and checking account numbers, and the last four of the person’s social security number. It also included current and average balances. The thing is, this was not for me. It was sent to me by mistake. Use of fax technology today for sending documents containing sensitive information is not really a good idea.

The risk

It isn’t hard to use a wrong phone number for voice or fax. It could be written down or entered incorrectly. At some point, this relies entirely on user behavior to ensure sensitive information is not sent to a random location. This is one reason my banks don’t use fax communication to send me documents that contain PII. As consumers, it is our responsibility to ensure that anyone with whom we do business is properly securing our information. In this case, I would never use this bank again if it couldn’t provide a better way.

Solutions

One approach is an email notifying me that private documentation is ready, with a link to where I can access it. Access would require my password and possibly other information. My bank provides two-factor authentication for strong authentication.

Another approach is using secure email. Secure email is easy to use even if your bank doesn’t provide it, and it offers strong protection against unauthorized access. Small businesses can usually get by with no cost. Larger businesses simply need to take this on as a cost of doing business.

Due diligence

Although it’s difficult to believe that some banks and other businesses still don’t get it, we as security professionals have to ensure our businesses don’t suffer because of weak vendor controls. This is part of risk management.

When engaging with any vendor, one of the risk assessment items must be how we will exchange sensitive documents. Simple FTP, insecure email, and faxing are just not secure enough, in my opinion. If the vendor won’t set up secure transfer controls, it is up to us to mitigate the risk ourselves. We do this by implementing services ourselves or by looking for another vendor. From a business perspective, the cost of implementing controls can be spread across interactions with other vendors that also can’t or are unwilling to mitigate the document transfer risk.

Some name

Independent security researcher and IT professional with over 36 years of experience in programming, network engineering and security. Author of four books (Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide) and various papers on security management.